Univention Bugzilla – Full Text Bug Listing |
Summary: | Missing parameter to set up a share using Windows ACLs | ||
---|---|---|---|
Product: | UCS | Reporter: | Christina Scheinig <scheinig> |
Component: | Samba | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | alexander.wotschke, andree.hingst, botner, gohmann, grandjean, requate, stephan.hendl |
Version: | UCS 4.3 | ||
Target Milestone: | UCS 4.3-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.206 | Enterprise Customer affected?: | Yes |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2018092121000827 | Bug group (optional): | |
Max CVSS v3 score: |
Description
Christina Scheinig
2018-09-21 16:45:38 CEST
set 'map acl inherit = yes' if univentionShareSambaNtAclSupport and univentionShareSambaInheritAcls are set 41a71556033ad3ecfacb67815c728d52b039e8cf - univention-samba4 d03c3b48ab19acb61c9629cbdff1d8f9231b4fc8 - yaml Please consider the univention-samba package too since we havn't univention-samba4 installed. 2ec7403f52f13ed087c00616ce4757d0996464a5 - univention-samba b3d4b3dfce708f9a9ba8b7c5c7419af35f64dd9b - univention-samba.yaml In section https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File the Wiki article says: "On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually." "must not" == "darf nicht". So, I'm fine with setting this in univention-samba, but I'm unsure about univention-samba4. I cannot see any damage done by setting this parameter, I guess the wiki article wording is too strong at this point. On the other thand, the text is marked with an exclamation mark. Did you check that this is Ok on a Samba AD DC? Did you check if the user.SAMBA_PAI cannnot be found already in the file share backing the share without this change? The wiki article also recommends putting "map acl inherit" into the global section to make it default for all shares. That would have the advantage that the customers affected by this don't need to touch every share on every file server. user.SAMBA_PAI seems to be set only if "map acl inherit = yes" is configured, even on a DC (In reply to Arvid Requate from comment #5) > The wiki article also recommends putting "map acl inherit" into the global > section to make it default for all shares. That would have the advantage > that the customers affected by this don't need to touch every share on every > file server. not sure, we have a per share config "Inherit ACLs", so making this a global option is even more confusing ps "map acl inherit = yes" works with sysvol but the samba restart confused my "Gruppenrichtlinieneditor" new Bug #48222 for sysvol ... share config If I correctly understand the smb.conf man page the "map acl inherit" can be set without "inherit acls", but it's ok. |